Thanks for sharing it (also investigating how) -
Also, this tells me that somehow your email was leaked from your cable operator's office.
Sandeep Mewara wrote: somehow your email was leaked from your cable operator office. Not necessarily. Spammers send emails to everyone they can.
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
Probably a coincidence then: spammers used that cable website and the OP happens to have that connection.
It seems that the server side is taken over, or it is an inside job...
That page is not part of the UI, and returns differently on every combination of parameters...
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
It could just be a loophole in their security - it may be that someone who has an account with the company has posted a cross-site script in a field on their account which causes the site to redirect when the state variable, passed in the header, is parsed.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
Of course... What made me think of an inside job is that this page (address) cannot be revealed by scanning the site... it is a page that should only be known to someone who has seen the server...
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
It would certainly be interesting to find out what is going on.
I navigated to the /learn/signin-cima page which then loads a blank page.
(CIMA could be the Chartered Institute of Management Accountants)
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
GuyThiebaut wrote: I navigated to the /learn/signin-cima page which then loads a blank page.
I played with the parameters, and found that the value of code is irrelevant (but must be present), while state not only has to be there, but also has to have that exact value to do the actual redirection...
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
The state value is 32 bytes long, so I am going to take a guess that it is a 32-byte hash.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
Nope,
It is just a coincidence that the state string length is 32 bytes long. It's simply a UTF-8 base64 encoded URL being passed to a CGI script. With a little investigating I see that you can pass any URL to the script and it will send back a location header redirecting the browser.
This will redirect you back to codeproject.com:
https://www.xfinity.com/learn/signin-cima?code=0.ac.jHKtzD&state=aHR0cHM6Ly93d3cuY29kZXByb2plY3QuY29t
This should be reported to Security Vulnerability Report[^]
Best Wishes,
-David Delaune
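As an added example (not code from the thread or from the site it discusses), here is the decoding step described above, with the redirect behaviour the thread observed placed beside a hardened version. The function names and the ALLOWED_HOSTS set are assumptions for illustration; the two state values are the ones quoted in the thread.

```python
# Added example (not part of the original thread): decode the base64 `state`
# value discussed above, and put the redirect behaviour the thread describes
# beside a hardened version. Function names and ALLOWED_HOSTS are assumptions.
import base64
import binascii
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumption: the only hosts the sign-in endpoint should ever redirect to.
ALLOWED_HOSTS = {"www.xfinity.com", "xfinity.com"}


def encode_state(url: str) -> str:
    """Build a `state` value the way the thread's one appears to be built:
    plain base64 of the UTF-8 URL, with any '=' padding stripped."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def decode_state(state: str) -> Optional[str]:
    """Return the URL carried in `state`, or None if it is not base64/UTF-8.
    Missing padding is tolerated, and both the standard and the URL-safe
    base64 alphabets are accepted."""
    try:
        padded = state + "=" * (-len(state) % 4)
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def vulnerable_redirect_target(state: str) -> Optional[str]:
    """What the thread observed: whatever `state` decodes to becomes the
    Location header, with no check on where it points (an open redirect)."""
    return decode_state(state)


def safe_redirect_target(state: str) -> str:
    """Hardened version: only honour an https URL whose host is allow-listed,
    and rebuild the target from the validated parts; anything else goes to '/'."""
    url = decode_state(state)
    if url is None:
        return "/"
    parts = urlsplit(url)
    # parts.hostname excludes userinfo and port, so a value like
    # 'https://www.xfinity.com@evil.example/' is seen as host evil.example and
    # rejected, and a scheme-relative '//evil.example/' fails the scheme check.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return "/"
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # The two state values quoted in the thread.
    for s in ("aHR0cHM6Ly9mZWVsbGl4cy5jb20vP2Jz", "aHR0cHM6Ly93d3cuY29kZXByb2plY3QuY29t"):
        print(s, "->", vulnerable_redirect_target(s), "| hardened:", safe_redirect_target(s))
```

Rebuilding the Location value from the parsed host rather than echoing the decoded string is what closes the userinfo and port tricks; an allow-list comparison on the raw string would not.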
Randor wrote: It's simply a UTF-8 base64 encoded URL being passed to a CGI script
That explains why randomly changing state was useless...
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
Nice work
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
Thanks,
I only spent 5-10 minutes looking into it. What's interesting is that even the domain name "feellixs" seems to be very well designed. The hamming distance from netflix... it seems to be chosen to pass through a Bayes classifier undetected.
Best Wishes,
-David Delaune
You're welcome. As someone who works as a 'full stack' developer (I sigh using that term), it's always good to learn from others and discover where security vulnerabilities exist on sites.
Given what you have discovered, it sounds like very poor web design to redirect to a site not on the hosting domain based on a parameter in the header.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
Thank you David, I have reported it.
The difficult we do right away...
...the impossible takes slightly longer.
You are welcome.
If you get a reward for reporting the vulnerability please consider donating a portion of that to a charity of your choice.
Best Wishes,
-David Delaune
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
Curious to know if they contact you or close the bug
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
My money is on a cease-and-desist letter. The larger the company, the more I'd put on that bet.
I'll post the resolution once it happens.
The difficult we do right away...
...the impossible takes slightly longer.
Richard Andrew x64 wrote: aHR0cHM6Ly9mZWVsbGl4cy5jb20vP2Jz contains information that decodes into https://feellixs.com/?bs
Looks like they are fishing for your Netflix password.
3307501017[^]
3307500963[^]
Domain is 1 day old. Certificates are also 1 day old.
Best Wishes,
-David Delaune
P.S.
It's not an accident that the site went live on a Saturday. They are taking advantage of the fact that network operations are closed or minimally staffed over the weekend. Unfortunately they will get a full 48 hours of fishing for Netflix passwords before being shut down on Monday.
modified 30-Aug-20 5:28am.
Interestingly - and despite its being a new registration - Chrome and Firefox block this page...
It actually tries to mimic the Netflix login page (I can see it on Edge)... Which should be more than suspicious, as the original mail is from the ISP, so how did it land you on Netflix...
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
Well,
Most e-mail providers filter out SPAM links. I am guessing that https://www.xfinity.com/* is whitelisted, and that's the core value of this vulnerability. Since @Richard-Andrew-x64 is a customer, he should report this to the Comcast Security team.
Security Vulnerability Report[^]
Best Wishes,
-David Delaune
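The point above, that a whitelisted domain lets the link past a spam filter, suggests a mail-side check. The following is an added example, not code from the thread or from any mail provider: it scans a message body for links on a trusted host whose query parameter base64-decodes to an absolute URL on some other host. TRUSTED_HOSTS, the function names and the sample message body are constructed for this example; the feellixs.com state value is the one quoted in the thread.

```python
# Added example (not from the thread): a mail-filter style check for the trick
# described above, a link on a host the filter trusts whose query parameter
# base64-decodes to an absolute URL on some other host. TRUSTED_HOSTS, the
# function names and the sample message body are constructed for this example.
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Assumption: hosts a spam filter would normally let through unchallenged.
TRUSTED_HOSTS = {"www.xfinity.com"}

# Good enough for links separated by whitespace or HTML delimiters.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def _b64_to_url(value: str) -> Optional[str]:
    """Decode a query-parameter value as (possibly unpadded) base64 and return
    it only if the result is an absolute http(s) URL with a host."""
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    parts = urlsplit(text)
    return text if parts.scheme in ("http", "https") and parts.hostname else None


def find_smuggled_redirects(body: str) -> List[Tuple[str, str, str]]:
    """Return (link, parameter, decoded target) for each link on a trusted host
    that carries a parameter decoding to a URL on a non-trusted host."""
    hits = []
    for link in URL_RE.findall(body):
        parts = urlsplit(link)
        if parts.hostname not in TRUSTED_HOSTS:
            continue
        for pair in parts.query.split("&"):
            name, _, value = pair.partition("=")  # keeps any '=' padding in value
            target = _b64_to_url(unquote(value))
            if target and urlsplit(target).hostname not in TRUSTED_HOSTS:
                hits.append((link, name, target))
    return hits


def _state_for(url: str) -> str:
    """Encode a URL the way the thread's state parameter appears to be built."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii")


# Constructed sample: one link smuggling the thread's feellixs.com target, one
# whose state points back at the trusted host itself, and one plain link.
_BENIGN_STATE = _state_for("https://www.xfinity.com/")
SAMPLE_BODY = (
    "Your statement is ready.\n"
    "Sign in: https://www.xfinity.com/learn/signin-cima?code=0.ac.jHKtzD&state=aHR0cHM6Ly9mZWVsbGl4cy5jb20vP2Jz\n"
    "Account: https://www.xfinity.com/learn/signin-cima?code=0.ac.jHKtzD&state=" + _BENIGN_STATE + "\n"
    "Help: https://www.xfinity.com/support\n"
)

if __name__ == "__main__":
    for link, param, target in find_smuggled_redirects(SAMPLE_BODY):
        print(f"{param} in {link} -> {target}")
```

Only the first link is reported: the code parameter is not valid base64, the second state decodes to a URL on the trusted host, and the support link carries no parameters at all.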
How on Earth did you figure out what that decodes to?
The difficult we do right away...
...the impossible takes slightly longer.
Good to see that when browsing from work right now (it may not matter that there are filters here the average surfer wouldn't have, because it seems to be a Chrome thing) I see the following screen with a bright red background from Chrome:
Deceptive site ahead
Attackers on feellixs.com may trick you into doing something dangerous like installing software or revealing your personal information (for example, passwords, phone numbers, or credit cards). Learn more
Help improve security on the web for everyone by sending URLs of some pages you visit, limited system information, and some page content to Google. Privacy policy
Google Safe Browsing recently detected phishing on feellixs.com. Phishing sites pretend to be other websites to trick you.
You can report a detection problem or, if you understand the risks to your security, visit this unsafe site.